The Top 7 Myths About HTTPS Site Conversion

Misconceptions and old rumors abound about converting your site to HTTPS, including why you should do it, why an SSL certificate and plugin are not enough, loss of backlinks, why a green padlock could be misleading, plus site security and performance issues.

Clear up those myths and see how to avoid headaches with the conversion process.

Myth 1: I don’t sell anything so I don’t need HTTPS

Just because you don’t take payments on your site doesn’t mean you don’t need to convert to HTTPS.

Encrypting your site’s data, both to and from the visitor’s browser, makes surfing the web safer for everyone.

And visitors are definitely starting to be more savvy about looking for that little green padlock in the URL bar now too.

That’s mainly because browsers are starting to warn them about it in any fields they fill in on your site.

Want folks to sign up for your newsletter?

UPDATED 8/20/17 – This is a reality now. Google Chrome will show a NOT SECURE warning on any non-https sites collecting any type of data.

You may start losing some of those when a browser warns them that their email address is being sent on an unsecured connection.

Myth 2: No Loss of Backlinks or Ranking

Backlinks

You could be losing valuable backlinks to your site and lowering your ranking with Google if your site is not HTTPS.

Here’s a real world example that I’ve seen with my clients.

Site A features a link to Site B.

Site A converts to HTTPS and discovers a mixed media warning on the link to Site B.

There is no HTTPS version of the link from Site B because they have not converted yet.

Site A removes the link to Site B.

A mixed media warning would knock Site A out of HTTPS encrypted delivery.

And that warning is visible to visitors, so it’s a big no-no.

Site B is just going to lose that valuable backlink until they convert their site to HTTPS.

Here’s another real world example.

Site A is in a blogging carnival.

Common images are shared from Site B with multiple other sites, including Site A.

Site A is HTTPS and Site B is not.

All of the image links from Site B cause mixed media warnings on Site A.

The choices for the Site A owner are:

Not to participate in the blogging carnival

Or upload all of the images to her own site

Neither of those choices is ideal.

So it behooves every site owner involved to convert their sites to HTTPS asap or they stand a chance of being shunned as a source of images in blogging carnivals as more and more participants make the switch.
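A scan for the situation in the carnival example, where an HTTPS page embeds images or scripts served over plain HTTP (browsers call this mixed content; the post calls it a mixed media warning). This is an added example, not from the original post; the site names and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page embeds (loads) another resource.
EMBED_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "embed": ("src",), "object": ("data",),
}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link rel> values that load a file


class MixedContentScanner(HTMLParser):
    """Collects embedded resources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = EMBED_ATTRS.get(tag, ())
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            names = ("href",) if rels & FETCHING_RELS else ()
        for name in names:
            # Relative and protocol-relative URLs inherit the page's scheme.
            absolute = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: Site A (HTTPS) embedding carnival images hosted on Site B (HTTP).
SAMPLE_PAGE = """
<img src="http://site-b.example/carnival/badge.png">
<img src="//site-b.example/carnival/banner.png">
<img src="https://site-a.example/uploads/own-copy.png">
<script src="http://site-b.example/widget.js"></script>
"""

if __name__ == "__main__":
    print(find_mixed_content("https://site-a.example/post/", SAMPLE_PAGE))
```

Run it over saved page source before the switch to list the embedded files that have to be re-hosted or moved to an HTTPS source.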

Pinterest Links

If you get a real HTTPS conversion, you will not suffer any redirect issues of your Pinterest links.

HTTPS is a protocol.

If converted properly, all traffic is forced to simply connect to a different, secured port on the server from your HTTP link.

If converted improperly, it could set up a redirect chain from hell. And I doubt Pinterest will be very happy with that!!

You will need to update the link to your Pinterest profile to https as well. But you won’t need to reverify your site. (Same with all other social platforms.)

Cloudflare SSL

If you use Cloudflare, or another CDN, your site data has two legs in the journey.

The path from your host to Cloudflare

The path from Cloudflare to the visitor’s browser

If an SSL certificate is not in place at both sources, the host and Cloudflare, you’re only encrypting the data for half the journey.

That opens you up to man-in-the-middle peeping Toms and hacks.

Plus, if you ever need to put Cloudflare in Development mode, or delete your site from Cloudflare for troubleshooting, poof goes your HTTPS.

Myth 4: My host can do it for free or with a plugin.

Hahahahahahahahaha.

Were it that simple!!!!

This is the duct tape / chicken wire way.

Your site is not actually converted to HTTPS!

Many hosts are trying their best to make it easy for site owners to DIY an HTTPS conversion.

Hosts are:

pre-issuing free SSL certificates

changing a couple of links

providing or recommending a plugin to redirect all links from HTTP to HTTPS

Read that again – the plugin only redirects all links.

That includes all page/post permalinks, plus all of the internal links on those pages/posts.

Not only is that a performance issue, it’s a security issue.

Those links are all over the place, in places like:

WordPress itself

The database

All of your page/post content

Widgets

Theme files

Redirects

.htaccess

XML sitemap links

The links in the theme files can be especially problematic for calling in things like your site logo image and favicon.

Ask yourself this – do you really want your header logo image file to be redirected on every page load?

And then there are the redirects you intentionally create. They can be all over the place too, like in redirect plugins, .htaccess, cPanel, etc. The plugins just aren’t going to cover all those. And the ones they do cover are now going to have multiple redirects.

Plus, you need to force all versions of your site URLs to use the new HTTPS canonical.

Have fun figuring out which regex code to put in your .htaccess file.

I’ve tested 14 of them, including the ones leading hosts recommend, and the ones added by plugins.

So far, all but 2 give undesirable redirects, and neither of them is recommended by hosts or used by plugins.

Some of these codes redirect 3 times before landing on the proper link.

That will cause a performance issue and may even lead to a warning for too many redirects.

Worse, some of those regex codes give 302 redirects instead of 301, which drops coveted “link juice” with Google.

So, while a plugin may seem like a good way to go for ease, look at how it actually works. It’s awful for your site.

And you’re stuck with that plugin for the entire time you own your site too.

It’s WAY better to actually get the site converted properly and not rely on something that could break or may not be around in a year or two.
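One way to test a set of redirect rules for the problems described above: more than one hop, 302 instead of 301, and URL variants that do not end on the HTTPS canonical. This is an added example, not from the original post; example.com, the function names and the canned responses are constructed, and `fetch` is any callable returning `(status, Location)` for a URL.

```python
from urllib.parse import urljoin

REDIRECTS = {301, 302, 303, 307, 308}


def trace(url, fetch, max_hops=10):
    """Follow redirects one hop at a time; return [(status, url), ...]."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((status, url))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops


def audit(variants, canonical, fetch):
    """Return {variant: [problems]} for every URL variant of the site."""
    report = {}
    for start in variants:
        hops = trace(start, fetch)
        redirects = [h for h in hops if h[0] in REDIRECTS]
        final_status, final_url = hops[-1]
        problems = []
        if final_url != canonical or final_status != 200:
            problems.append(f"ends at {final_status} {final_url}")
        if len(redirects) > 1:
            problems.append(f"{len(redirects)} redirects instead of 1")
        temporary = [u for s, u in redirects if s in (302, 303, 307)]
        if temporary:
            problems.append(f"temporary redirect at {temporary[0]}")
        if any(u.startswith("http://") for _, u in hops[1:]):
            problems.append("chain passes through plain HTTP")
        report[start] = problems
    return report


# Constructed responses imitating a host rule stacked on a redirect plugin.
SAMPLE = {
    "http://example.com/": (302, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
}


def sample_fetch(url):
    return SAMPLE[url]
```

Calling `audit(list(SAMPLE), "https://www.example.com/", sample_fetch)` reports the bare HTTP variant as a two-hop chain with a temporary redirect, while the other three variants come back clean.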

Myth 5: I have a green padlock so I’m all done.

That green padlock may be displaying because non-HTTPS elements of your site are so egregious that they are being blocked by the browser.

Beyond that, the visitor’s browser is checking the SSL certificate score and for additional security headers. Those headers have to be added manually.

The main security header you need, according to Google and other security entities, is HSTS so the browser will see this as a safe, truly encrypted site and preload it.

There is even a Chrome HSTS preload safe list that you have to submit your site to. And other browsers are making use of that list now too (with Google’s blessing).
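A check of a response's HSTS header against the preload list's header criteria, added here as an example and not taken from the original post. The one-year `max-age` minimum and the `includeSubDomains` and `preload` directives are the hstspreload.org submission requirements; the function names and sample headers are constructed.

```python
PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            # RFC 6797 section 6.1: a directive must not appear twice.
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')
    return directives


def preload_problems(headers):
    """List what stops a response's headers from meeting the preload criteria."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


# Constructed response headers: no HSTS, a short-lived policy, a preload-ready policy.
PLUGIN_ONLY = {"Content-Type": "text/html"}
SHORT_LIVED = {"strict-transport-security": "max-age=300"}
READY = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
```

Browsers only honor this header when it arrives over HTTPS, so feed the function the headers of the HTTPS response, not the HTTP redirect.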

Myth 6: HTTPS will make my site more secure.

Yes and no.

HTTPS will make the data traveling to and from your site more secure, in that it is encrypted. That means hacker Peeping Toms can’t see it as it travels across the internet.

But HTTPS will do nothing to secure your site from other hack attacks that come mainly through open doors to your site, like:

plugins and themes that are out of date

brute force attacks

lack of security at the root

You still need to secure your site from the root up. And it’s a good idea to get on a paid WAF (Web Application Firewall) now too.

Forget those behemoth security plugins getting the job done. In fact, most of them are just resource hogs and aren’t fully protecting your site.

Myth 7: HTTPS will slow my site down.

Not anymore.

Now we have the HTTP/2 protocol and all major browsers have finally adopted it.

With HTTP/1, all data to and from a site had to travel in a serial fashion, meaning one bit after the other.

With HTTP/2, multiple data streams can travel in parallel, radically increasing the speed.

Browser adoption of the HTTP/2 protocol is one of the main reasons why we now have such a push to move forward with HTTPS encryption.

Want help with your HTTPS conversion?

All of my clients can tell you how much cheaper it is to hire a pro than to try to DIY this kind of project because it’s so invasive and involves so many site elements. I provide a pre-conversion checklist so we catch all those gotchas and address them prior to the conversion. Makes the whole process smoother.

And I don’t clean up botched conversions either. They are just too invasive to every element on your site to try to undo.

This is one project you definitely want to get help with and KNOW that it’s right.

Want to learn how to do HTTPS conversions for your clients?

Designers – this training is made with you in mind.

I’ve spent over 100 hours researching and testing all conversion methods on the web, including the ones many leading hosts make available. And I’ve put the easiest and best method together for you.

And the best part – one conversion job will pay for the training. You’ll be taking business you couldn’t get before too.

Jump up to Webmaster Level 6 and enjoy support from me and other webmasters in our private Facebook group and live meetings. That alone is a pot of gold resource!! That’s what the other Level 6 webmasters say. Read their testimonials on the home page and see for yourself.

About MaAnna Stephenson

MaAnna is a geek who can still speak in plain English. She helps DIY site owners plus webmasters and designers create sites that are secure, perform well, and get noticed by search engines and readers.
